ossf / secure-sw-dev-fundamentals

Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
Creative Commons Attribution 4.0 International

Provide alternatives for telling the user that "an account with that email address already exists" during signup #134

Open TobiasWehrum opened 1 year ago

TobiasWehrum commented 1 year ago

In the "Minimize Feedback / Information Exposure" section, you write:

If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. [...] Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.

I definitely see the point, but I'm not sure what the correct reaction would be.

I guess you could pretend to make the account, and end the flow with "Please confirm your account creation in the mail we sent you." and instead send a mail explaining that you or somebody else tried to make a new account with this mail despite one already existing? Or maybe just display a message like "If there isn't already an account registered to this email address, we've sent you a mail!" similarly to how you'd implement password reset?

david-a-wheeler commented 1 year ago

There are many ways to resolve it, but giving an example or two is a great way to help people actually do it. At the very least I like this example:

For example, when a user tries to create an account using an email address, the system could display "If there isn't already an account registered to this email address, we've sent you an email for you to confirm."

How about that?

TobiasWehrum commented 1 year ago

Would you not send a mail in case of a double registration explaining the situation? Maybe with an "I don't want to receive further notifications" to inhibit spam? I wonder if it does more good (i.e. less confusion if a user forgot their account and tries to register again) or harm (i.e. confusing and/or frightening users despite it being a potential non-issue), depending on how likely either of these cases is.

But apart from that, yeah, sounds good to me as an example.

As a side note... it seems to me that there are a few challenging scenarios here (e.g. wanting to allow people to use the account immediately after signing up even if their email address is not yet confirmed, or having a sign-up during a check-out process). Definitely more complexity than the password recovery scenario.
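The flow discussed in this thread, put together as one added example (not code from the course or from either commenter): the signup handler returns the same "If there isn't already an account registered to this email address..." message in every case, sends a confirmation token to a new address, re-sends a fresh token when an earlier signup was never confirmed, and sends the "someone tried to sign up with your email" notice that TobiasWehrum asks about to an address that already has a confirmed account. It also runs the password KDF on every path, since skipping it for an existing address would leak the same bit through response time. The in-memory stores, the `signup`/`confirm` function names and the outbox are assumptions made for this example.

```python
import hashlib
import os
import secrets

# Constructed in-memory stand-ins for the user table and the mail transport.
# All names here are assumptions made for this example.
USERS: dict = {}      # email -> {"pw_hash", "salt", "confirmed", "token"}
PENDING: dict = {}    # confirmation token -> email
OUTBOX: list = []     # every email "sent", captured so the flow can be inspected

# The single response used for every outcome, so the reply never reveals
# whether the address was already registered.
SIGNUP_RESPONSE = ("If there isn't already an account registered to this "
                   "email address, we've sent you an email for you to confirm.")


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow KDF. Run on every path so response time does not depend on the branch."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _send(to: str, subject: str, body: str, token: str = "") -> None:
    """Record an outgoing email instead of delivering it (constructed transport)."""
    OUTBOX.append({"to": to, "subject": subject, "body": body, "token": token})


def signup(email: str, password: str) -> str:
    email = email.strip().lower()              # one canonical form per mailbox
    salt = os.urandom(16)
    pw_hash = _hash_password(password, salt)   # same cost whether or not the email exists
    existing = USERS.get(email)

    if existing is not None and existing["confirmed"]:
        # A confirmed account already exists: tell its owner out of band, never
        # the requester. The owner may well be a user who forgot they had an account.
        _send(email, "Someone tried to sign up with your email",
              "An account already exists for this address. If this was you, "
              "use 'Forgot password'. Otherwise no action is needed.")
    else:
        # New address, or an earlier signup that was never confirmed. The new
        # attempt supersedes the old one: fresh credentials, fresh token, and the
        # old token is invalidated so it can no longer confirm this record.
        if existing is not None:
            PENDING.pop(existing["token"], None)
        token = secrets.token_urlsafe(32)
        PENDING[token] = email
        USERS[email] = {"pw_hash": pw_hash, "salt": salt,
                        "confirmed": False, "token": token}
        _send(email, "Confirm your account",
              f"Confirm your account with this token: {token}", token=token)

    # Identical text on every path.
    return SIGNUP_RESPONSE


def confirm(token: str) -> bool:
    """Single-use confirmation; returns True only for a live token."""
    email = PENDING.pop(token, None)
    if email is None or email not in USERS:
        return False
    USERS[email]["confirmed"] = True
    USERS[email]["token"] = ""
    return True


if __name__ == "__main__":
    print(signup("Alice@Example.com", "correct horse battery staple"))
    print("sent:", OUTBOX[-1]["subject"], "->", OUTBOX[-1]["to"])
    print(signup("alice@example.com", "another password"))
    print("sent:", OUTBOX[-1]["subject"], "->", OUTBOX[-1]["to"])
```

Two caveats a real implementation has to add. First, the "superseded unconfirmed signup" branch means whoever clicks the newest token confirms the newest password, so the confirmation step should be bound to the browser session that requested it (or ask the confirmer to set the password) rather than accept the bare token as this example does. Second, the notification to an existing account is itself a way to spam a mailbox, so it needs rate limiting per address and the opt-out TobiasWehrum mentions.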